Nos78 / MrData

Discord Bot providing some simple scoring using postgres
GNU General Public License v3.0

MrData spamming the channels #6

Open Nos78 opened 5 years ago

Nos78 commented 5 years ago

Someone was able to misappropriate MrData, and use it to send spam.

Initial investigation reveals that it was probably via the discord API bot token, which is used to verify the bot's identity. With this token, any malicious piece of code can log in as the bot and run its own code.

So I have changed the token. The token should not be stored in version control (and indeed, it isn't...) but there was a version of config-secret.json and the initial version of config.json that had the bot's token in it.

It is no coincidence that the spam started occurring on the same day and not five minutes after I made the repository public!

Check the code base to ensure there is nothing compromised, and additionally, add some logging for every command being executed.

Nos78 commented 4 years ago

The bot token was again published by mistake to github.

Discord has been improved since this issue last arose, and so, within the discord software, I was instantly notified that my bot token had been published to the Internet. What a cool feature! They automatically rotated my secret key, so I had to modify the config.

I need a way of stopping config-secret.json from accidentally being uploaded.

Nos78 commented 4 years ago

Okay, having done a few Google searches, it appears that whilst there are ways to lock a particular file from being changed, the most sensible method appears to use a template file (which is effectively what I am doing) with the extension .TMPL, and in the install instructions or script, you rename the file to its correct name.

So:

  1. Rename the blank config-secret.json to be config-secret.json.TMPL
  2. Remove config-secret.json from the repository so that it is untracked. That should prevent the file being accidentally committed, since I'm not going to manually add it back!
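
The two steps above, as an added shell example that is not code from the MrData repository: it reproduces the mistake in a constructed throwaway repo, renames the blank file to the .TMPL template, untracks and ignores the real config-secret.json, and adds a guard that a pre-commit hook or CI job could run. It assumes git and mktemp are installed; the function names are my own.

```shell
# Added example, not code from the MrData repository. Assumes git and mktemp
# are installed; function names are my own.
set -e

SECRET_FILE="config-secret.json"
TEMPLATE_FILE="config-secret.json.TMPL"

# Steps 1 and 2 from the issue: rename the blank file to the template, stop
# tracking the real file, and ignore it so `git add .` cannot pick it up again.
untrack_secret() {
    repo="$1"
    git -C "$repo" mv -f "$SECRET_FILE" "$TEMPLATE_FILE"
    if ! grep -qxF "$SECRET_FILE" "$repo/.gitignore" 2>/dev/null; then
        echo "$SECRET_FILE" >> "$repo/.gitignore"
    fi
    git -C "$repo" add .gitignore
    git -C "$repo" commit -q -m "Track $TEMPLATE_FILE only; ignore $SECRET_FILE"
}

# Install step: the real config is created from the template and never committed.
install_secret() {
    cp "$1/$TEMPLATE_FILE" "$1/$SECRET_FILE"
}

# Guard for a pre-commit hook or CI: succeeds only if the secret file is not
# tracked (ls-files --error-unmatch exits non-zero for untracked paths).
secret_is_untracked() {
    ! git -C "$1" ls-files --error-unmatch "$SECRET_FILE" >/dev/null 2>&1
}

# Constructed throwaway repo reproducing the mistake: the secret file committed.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "demo"
    printf '{ "token": "" }\n' > "$repo/$SECRET_FILE"
    git -C "$repo" add "$SECRET_FILE"
    git -C "$repo" commit -q -m "Initial config (blank)"
    echo "$repo"
}

# Demo run: before the fix the guard fails, after it the guard passes.
demo=$(make_demo_repo)
if secret_is_untracked "$demo"; then echo "unexpected: not tracked"; else echo "before: $SECRET_FILE is tracked"; fi
untrack_secret "$demo"
install_secret "$demo"
if secret_is_untracked "$demo"; then echo "after: $SECRET_FILE untracked and ignored"; fi
rm -rf "$demo"
```

Calling `secret_is_untracked` from a pre-commit hook refuses any commit that re-adds the real file, which covers the case of a manual `git add` as well.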